Posts categorized "IETF"

September 10, 2014

"What is a minimum set of specifications that a vendor must implement to be able to say that it is SIP-compliant?"

A friend asked me that question and my response was:

It depends.

and even more unfortunately:

I don't know.

It turns out to be a challenging question to answer... and it led me to ask:

How do we define what "SIP" is for telecommunications in 2014?

How do we help vendors move their products/services to be based on SIP?

As we talk about "turning off the PSTN" and "moving all telecom to IP", how can we make it easier for companies to switch to using SIP?

The reality is that being "SIP-compliant" does turn out to depend upon where in the larger SIP interconnection ecosystem the vendor is located.

Is the vendor:

a SIP client, in terms of a "hard" phone, a softphone, or other application that is seeking to connect to a SIP server?

a SIP server seeking to connect to a SIP "service provider" to have connectivity out to the PSTN and other SIP networks?

a SIP service provider seeking to interconnect with other SIP service providers and to the PSTN?

a middlebox such as a firewall or session border controller (SBC) seeking to be in the middle of a SIP communication stream?

an application that interacts with SIP systems in some way? (e.g., call recording, IVR, network monitoring)

To be "SIP-compliant" really means you need to figure out what amount of "SIP" you need to implement to play your part in the larger picture. Particularly when the SIP "architecture" we describe isn't the pretty little picture we use:

but rather a much more complex reality:

Unfortunately, the "Session Initiation Protocol" (SIP) is no longer just good old RFC 3261 and a few friends. RFC 3261 provided a radical new way to do telecommunications... it was "HTTP for voice"... it was simple, easy and pretty amazing. If you have a moment, go back and read RFC 3261. It's a remarkable document and set of ideas.

However, there were two factors that started to complicate "SIP":

the "Internet" community kept thinking of new and innovative ways that they could do more with SIP-based telecommunications; and

the traditional telecom companies/vendors kept wanting to bring across more and more legacy PSTN functionality into the world of SIP, typically without changing that PSTN functionality so that they wouldn't have to change their business models or processes.

This combination set SIP up to slowly become more and more of an accretion of various hacks and kludges designed to either enable SIP to unleash new possibilities and/or to take over key functionality from the PSTN.

But in doing so it became so much harder to define what "SIP" was.

Back around 2008/2009, Jonathan Rosenberg tried with his "Hitchhiker's Guide to SIP" that was published as RFC 5411 in February 2009:

Now consider that this contained about 26 pages worth of documents to be referenced... and this was back in 2009! In the 5 years since, the "Realtime Applications and Infrastructure (RAI)" area of the IETF has been extremely busy and a similar document today would be MUCH longer.

But does such a long list really help?

Going back to my list of different roles within the SIP ecosystem, do we need narrower lists for each role? A SIP client connecting to an IP-PBX may not need to implement all of the same specifications as a SIP service provider connecting to the PSTN.

What is the minimum set of SIP specifications for each role?

The good news is that for the second role I mention, the SIP server to SIP service provider, the SIP Forum has done some outstanding work with their SIPconnect initiative. You can find more info at:

You can download the SIPconnect 1.1 technical specification and see the great amount of work they have done. The idea is that ultimately any "SIPconnect-compliant" IP-PBX or other SIP server can connect to any "SIPconnect-compliant" SIP service provider. It should "just work" with a minimum amount of testing. The goal is to allow the more rapid deployment of SIP-based IP-PBXs and to make this part of the interconnection puzzle work that much better.

So if you are a vendor of a SIP server, whether you call it an IP-PBX, a call server, or whatever... or you are a SIP service provider seeking to connect to SIP servers at your customers - in either case you have SIPconnect that you can use to be "SIP-compliant".

But what about the other roles?

What if a vendor has multiple products?

What if a service provider or enterprise is just trying to get "SIP" products to work together? What should they specify beyond the vague statement that a product should support "SIP"?

Do we need a new IETF document that aims to update RFC 5411 with a newer list and perhaps "profiles" of what would be needed for different roles?

Is this something the SIP Forum or some other organization should take on?

Has someone else already created a concise list/document/specification and I just haven't yet found it?

And perhaps the even larger question:

Do you believe this is an issue that we collectively should be working on as an industry to help make the deployment of SIP easier?

What do you think? How do we define SIP in 2014? What should we do? I'd love to hear your comments either in response to this post here on this blog or out on social media where this is posted. (Thanks!)

July 29, 2013

Can we create a "secure Caller ID" for IP-based communications, a.k.a. voice-over-IP (VoIP)? And specifically for VoIP based on the Session Initiation Protocol (SIP)? Can we create a way to securely identify the origin of a call that can be used to combat robocalling, phishing and telephony denial-of-service (TDOS) attacks?

Over the last decade, a growing set of problems have resulted from the lack of security mechanisms for attesting the origins of real-time communications. As with email, the claimed source identity of a SIP request is not verified, and this permits unauthorized use of source identities as part of deceptive and coercive activities, such as robocalling (bulk unsolicited commercial communications), vishing (voicemail hacking, and impersonating banks) and swatting (impersonating callers to emergency services to stimulate unwarranted large scale law enforcement deployments). This working group will define a deployable mechanism that verifies the authorization of the calling party to use a particular telephone number.

The agenda for tomorrow's STIR meeting begins with a presentation by Henning Schulzrinne, now CTO of the US Federal Communications Commission (FCC) but also a long-time IETF participant and one of the co-authors of the original RFC 3261 specification for SIP. Henning will be laying out the problem statement and there will be a discussion of the proposed scope of the IETF work. He'll be followed by presentations of potential solutions by Jon Peterson, Eric Rescorla and Hadriel Kaplan and then a discussion of the proposed charter and the work to be done.

Given the intense debate that has occurred on the STIR mailing list over the past weeks I expect tomorrow's session to be one where some points will receive a great amount of passionate debate and discussion. (If you are interested in listening in or participating remotely in tomorrow's STIR meeting, see the information later in this article.)

The "Revisited" part of the group name is a nod to the fact that this whole issue of asserting "identity" has been explored within the SIP community in the past. Way back in 2006, RFC 4474 defined what has been called "SIP Identity" and provided a method for cryptographically signing certain SIP headers to identify the origin of a call. Unfortunately, RFC 4474 turned out not to work well with the way SIP was actually deployed and so usage has been virtually non-existent. An effort to update that document, what is called "RFC4474bis", has also been proposed and some of those ideas may be incorporated into the new proposed work for the STIR group.

There have also been other efforts such as the "P-Asserted-Identity (P-A-I)" defined in RFC 3325. The challenge here, though, is that theoretically P-A-I is supposed to be limited to usage within a trusted network, although in practice it may be seen by other networks. There have also been several efforts to define or document identifiers for billing purposes (including my own P-Charge-Info) although these efforts are trying to solve a slightly different problem.

The point here really is that the STIR effort is drawing upon a rich body of "SIP identity" work that dates all the way back to some early drafts in 2002. Much thought has been given to this issue and many of the people involved with STIR have also been involved with earlier efforts and understand well some of the challenges faced by that past work.

An Important Difference

One important difference between STIR and earlier "SIP identity" efforts is that initially the STIR effort is only focused on telephone numbers. The draft charter explicitly states this:

As its first work item, the working group will specify a SIP header-based authorization mechanism to verify the originator of a SIP session is authorized to use the claimed source telephone number, where the session is established with SIP end to end. This is called an in-band mechanism. The mechanism will use a canonical telephone number representation specified by the working group, including any mappings that might be needed between the SIP header fields and the canonical telephone number representation.

and later:

Expansion of the authorization mechanism to identities using the user@domain form deferred since the main focus of the working group is to develop a solution for telephone numbers.

Previous "identity" work was also undertaken to include a "SIP URI" or "SIP address" and while the ultimate STIR mechanism (or a variant thereof) might also work for SIP URIs, the focus in this initial work is all around securing the origin identification of telephone numbers.

This initial focus makes a great amount of sense given that so much of the SIP traffic today is a result of telecom service providers moving their regular calls to telephone numbers off of the legacy PSTN networks and over to IP networks where they use SIP. Additionally, a great amount of the "problem" traffic seen in VoIP today can be created by attackers who use simple VoIP software to generate their calls to regular telephone numbers.

Remotely Participating In Tomorrow's STIR BOF

If you are interested in participating in the meeting (or at least listening in) on Tuesday, July 30, the meeting will go from 9:00 - 11:30 local time in Berlin, Germany. Berlin is in Central European Summer Time (CEST) which is UTC+2 (and 3:00 am US EDT / midnight US PDT for my friends back in the USA).

The list is open to anyone to join. There are no membership or corporate requirements or fees - anyone with an email address may participate.

WARNING! - As can be seen in the list archive, there is currently a large volume of discussion and it will probably continue for some time. If you do join the mailing list you may want to consider setting up rules to sort the STIR email into a folder - or just prepare for the volume to be added to your inbox.

The other way to be involved is to monitor and read the documents that are created for the STIR effort. Newer documents are being created with "stir" in the document name and so they can be easily found at:

Other documents that are useful to understand this effort are linked to earlier in this article and can also be found in the text of the proposed STIR charter. After tomorrow's STIR BOF session there will be more information about how the effort will proceed within the IETF. The meeting tomorrow should result, I expect, in the recommendation to go ahead with formally creating a working group and undertaking this work, but we'll see what outcome occurs.

Can a method of secure origin identification for SIP-based VoIP calls be created? Given that basically all telecom traffic is in the process of moving to be based on IP, the need for a secure origin identifier is very clearly here - and many of us do believe we can develop a system that will work in today's environment.

What do you think? Are you ready to join in and help?

Update: Added the additional charter text about "Expansion of the authorization mechanism to identities..."

Want to learn more about the Opus codec and why it is so important? As I mentioned at the end of my last post about why Opus matters, there will be a special presentation about Opus as part of the IETF 87 Technical Plenary happening in about 2 hours starting at around 17:45-18:00 in Berlin, Germany (Central European Summer Time, UTC+2, 6 hours off of US Eastern time).

July 26, 2013

What makes the Opus codec so interesting? Why is there such a buzz about Opus right now? If you are not in telecom or doing anything with audio, why should you even remotely care about Opus?

In a word...

Innovation!

And because Opus has the potential to let us communicate with each other across the Internet with a richer and more natural sound. You will be able to hear people or music or presenters with much more clarity and more like you are right there with them.

Opus can help build a better user experience across the Internet.

You see, the reality is that today "real-time communication" using voice and video is increasingly being based on top of the Internet Protocol (IP), whether that communication is happening across the actual Internet or whether it is happening within private networks. If you've used Skype, Google+ Hangouts, any voice-over-IP (VoIP) softphones, any of the new WebRTC apps or any of the mobile smartphone apps that do voice or video, you've already been using IP-based real-time communication.

Dropping The Shackles Of The Legacy PSTN

Part of the beauty of the move to IP is that we no longer have to worry about the constraints imposed upon telecom by the legacy Public Switched Telephone Network (PSTN). Chief among those constraints is the requirement to use only part of the sound frequencies we can hear. You all know the "sound" of the telephone - and you hear it in any movie or TV show when someone is using the phone. It's that certain "sound" that we are all used to... that's what the "phone" sounds like.

In technical terms, we call this "narrowband" audio and it has a frequency range of only 300-3400 Hz.

There are historical reasons for this limitation in telecom, but moving to IP-based communications removes those limits. With VoIP we can use what is called "wideband" audio to have a full rich sound to our voice or video call.

Have you had a really good Skype connection with someone where it sounded like they were almost right there in the room with you?

That is wideband audio.

The Codec Problem

Now, for voice or video over IP to work, you need to use something called a "codec" to translate the sound of your voice to digital bits and carry them across the network (and to do the opposite for whomever you are speaking with). There are MANY audio codecs out there and they come in all sorts of flavors and with all different kinds of capabilities. The problem has been that there hasn't been a codec that:

is optimized for interactive Internet applications;

is published by a recognized standards organization; and

can be widely implemented and easily distributed at little or no cost.

In particular that last point about the cost of licensing, especially for wideband codecs, often caused developers to shy away from giving us the rich voice quality that we can now have with IP. Or, in the case of companies like Skype or Google, they went out and bought companies who created wideband codecs so that they could use those codecs in their products. (See my story from 2010 about Google buying GIPS.)

Now there are free codecs out there that developers can use. For narrowband, there has been the ubiquitous G.711 which provides an IP version of "PSTN audio". There have been many others, including notably Speex.

But the struggle has been that there hasn't been a widely accepted "G.711 for wideband" equivalent that developers can just bake into their products and start using. Instead there have been a number of different, incompatible codecs used in different products.

Enter Opus...

So to address these points, back in 2010, engineers within the IETF got together and formed the CODEC Working Group to come up with a codec that could meet these requirements and become the ubiquitous wideband codec used across the Internet. Skype was involved early on through contributing their SILK codec. The folks at Xiph.org contributed their CELT codec. People from many other companies got involved and there were huge technical discussions on the mailing lists and at IETF meetings.

Opus is a totally open, royalty-free, highly versatile audio codec. Opus is unmatched for interactive speech and music transmission over the Internet, but is also intended for storage and streaming applications.

So Why Does Opus Matter?

Opus matters because it lets developers focus on creating a high quality user experience and not having to worry about codec incompatibilities and licensing issues.

Opus matters because it lets developers easily create applications with high quality audio. They can just start using available libraries and communicating with other applications and devices using a common wideband codec.

Opus matters because it can work in very low-bandwidth environments enabling real-time communications across Internet connections that might not previously have supported such communications. As we start to get more Internet connectivity out to the 5 billion people not yet on the Internet, the ability to work over different kinds of connections is critical.

Opus matters because it can help foster innovation in applications and the user experience. Opus is the default audio codec for WebRTC, and so all the zillion new WebRTC-based apps and startups are already beginning with a far superior audio experience than we've had before.

Opus matters because it will enable even more ways that we can connect with family members or friends and have the experience of being "right there". It can help musicians collaborate better across the Internet. It can help podcasters and journalists deliver higher quality interviews across the Internet. It can, in the best conditions, give us that rich audio experience we get when we are right with someone - even though we may be thousands of miles away.

Opus can help us deliver on the potential of the Internet to create more powerful user experiences and to help us better communicate.

THAT is why Opus matters.

Learn More At Monday's IETF 87 Technical Plenary

To understand more about the current status of Opus, who is using it and where it is going, the IETF 87 Technical Plenary on this coming Monday evening in Berlin, Germany, will have a special segment focused on Opus that will include a number of people involved with the Opus work. The agenda for the session can be found at:

It is happening from 17:40-19:40 Berlin time, which is Central European Summer Time, which is currently UTC+2 and 6 hours ahead of where I live in US Eastern time. If you can't be there in person, there are several remote options:

If you are unable to watch the meeting in real time it will be archived for later viewing.

The first option above to listen to the session using the Opus codec (and WebRTC!) is a very cool one. The panel also includes people who have actually implemented Opus including people from Google and also Emil Ivov from the Jitsi softphone. Their insight into what they did will be great to hear.

If you are a developer of communications apps or services (or a product manager), you can look at how to incorporate Opus into your application or service. There is documentation and software available to help with the process, and many people are out there who can help.

If you are a user of IP-based communications apps or services, ask the company or vendor behind those services when they will support Opus. See if you can get it on their radar as something to implement.

And regardless of what you do with audio, let people know that this new way of communicating exists - help spread the word about Opus - let people know that audio across the Internet can be even better than it has been to date.

As you can tell, I'm excited about the potential - and very much looking forward to seeing what happens as Opus gets more widely deployed.

What do you think? If you are a telecom developer, or a vendor of such services, have you implemented Opus already? Are you thinking about it? (and if not, why not?)

On that note, the RTCWEB working group within the IETF will be meeting next week in Berlin (twice, actually) and has an agenda for IETF87 focused primarily on security questions and looking at the "data channel" aspect of WebRTC/RTCWEB. It should, as always, be an interesting session to listen in to.

If you can't get to Berlin, there are audio streams you can listen to remotely and a Jabber chat room where you can raise questions. Links to both can be found on the top of the agenda page. Do keep in mind that the times listed are local to Berlin, Germany.

March 11, 2013

At around 6:00pm US EDT, Henning Schulzrinne, CTO of the US Federal Communications Commission (FCC), will be speaking on "The End of Plain Old Telephone System (POTS): Transitioning the PSTN to IP" at the technical plenary of the 86th IETF meeting happening this week in Orlando, Florida. You can listen or watch here:

November 01, 2012

Sadly, the Big "C", the current unwelcome guest in our family, has claimed another activity that I enjoy. Next week is the 85th meeting of the Internet Engineering Task Force (IETF). Some 1,200+ engineers will gather in Atlanta, Georgia, to discuss/debate/argue/evolve the open standards that make up the Internet. Things like TCP, HTTP, DNS, SIP, IPv6... all those protocols and their many, many offspring.

For people who enjoy the process that creates these standards - and who enjoy the people that make up the IETF - these three-times-yearly face-to-face meetings are amazing places to be. One of the many aspects I enjoy of my work with the Internet Society is that I get to go to the IETF meetings and be part of all that is going on.

Unfortunately, I won't be in Atlanta.

As I've mentioned in the past and written about publicly, my wife is in the second year of treatment for breast cancer. Every three weeks she goes in for an infusion of a drug called Herceptin, which is an antibody that goes after the HER2 protein. She has the treatment on a Monday and then is usually extremely fatigued for the next few days. Generally by Wednesday afternoon or Thursday she's feeling a bit better, but still fatigued. Unfortunately it seems that she's perhaps experiencing more of a "cumulative fatigue," as the recent treatments seem to have had more of an effect - it seems like they are getting harder instead of easier. As a spouse, it's rather painful to watch what these treatments do to her. We can only hope that these are in fact helping fight her cancer.[1]

Next week happens to line up with one of those treatment weeks. I was away for a couple days during the last treatment week and while we have truly incredible friends and family around to help (and they have been helping), the reality is that they can't be there all the time. And so with me away my wife is single-parenting two very active children while feeling like she is moving through molasses.

So I need to be here. The good news is that we only have a few more of these treatments and she'll be free of them by mid-January. Hopefully after that our lives can start to return to a bit more of a normal routine, albeit our "new normal" of a post-chemo-and-still-taking-Tamoxifen world.

The other good news is that the IETF provides multiple ways for people to participate remotely in the meetings. With thousands of engineers all around the globe participating in IETF activities, I'm obviously not the only person who can't attend a given meeting face-to-face. Some people can't travel for family or work reasons... some can't for financial reasons... some can't because they can't get visas to visit the country where the meeting is taking place. Many folks need to participate remotely.

The great aspect for me is that Atlanta is in the same time zone as I am so I won't need to be up in the middle of the night to participate. I can just work "regular" hours and be listening to the audio streams and participating in the jabber chat rooms.

No, it's not as good as being there. You miss out on all the hallway conversations, side meetings, meals, etc., and you can't be there at the microphones to make your points in your own voice. But it is at least possible to participate.

To all the folks I know who will be there in Atlanta, I hope you have a great and productive event! I'll look forward to seeing you all at IETF 86 in March... meanwhile, I'll see you all online during IETF 85. :-)

[1] And yes, sometime I need to write a rant in my series of cancer columns about the fact that the current research regarding Herceptin has so far only shown that "52 weeks" of treatment is effective. It might, in fact, be equally effective in a much shorter timeframe... but the studies have apparently not yet been done to show that.

July 25, 2012

Do you want to help get open standards like IPv6 and DNSSEC more widely deployed? Would you like to see other technologies developed by the Internet Engineering Task Force (IETF) more rapidly adopted by network operators?

Are you passionate about the need to preserve the open nature of the Internet? Do you like to write, speak and create other forms of content? Would you like to be part of the Internet Society, the global nonprofit that serves as the organizational home of the IETF?

You can read the job description for what is called the "Operational Engagement Programme Manager". As noted in the document:

The Operational Engagement Programme Manager is a newly created position within the Internet Society. This position will report to the Director, Deployment and Operationalization. The primary focus areas of this position will be to: 1) develop and coordinate increased industry collaboration and conversations about the operationalization of Internet technologies; 2) work with targeted audiences around the globe to develop operational documentation on technology topics covered by the Internet Society Deploy360 Programme including, but not limited to, IPv6 and DNSSEC.

The job description goes on to list out the responsibilities and desired qualifications... the key point is that we're looking for someone who can help us expand the work we're doing in creating content that helps people deploy technologies such as IPv6 and DNSSEC. We're a small, fast-moving team that is highly focused on finding and creating the best possible content and promoting that through many different channels.

If you join our team, you'll be writing for the Deploy360 site and probably working with video, too. You'll be interacting with network operators through various online channels, including social media. You'll be speaking at events scattered all around the world.

Additionally, THIS IS A "TELEWORKING"/VIRTUAL POSITION! You do NOT have to be located in our Geneva, Switzerland, or Reston, Virginia, offices, but can be located anywhere. You can, just like me, work out of a home office. (There's this wee little thing called the Internet that makes this possible!)

One note - you MUST have experience with the IETF, so if you have never interacted with the IETF... well... don't bother applying! Experience with other operator groups is also very important.

If you're interested, the job description has contact information and instructions. We're also going to be out at IETF 84 in Vancouver next week speaking to people about this new role and would be glad to meet with you there. We have already received applications, so if you are interested, please contact us soon!

We've got a lot of great plans ahead of us... and we're looking for the right person to join our team. Please do check it out and consider applying!

June 21, 2012

How do we manage network congestion as we move real-time voice, video, chat and data communication into web browsers? How do we make sure browser-based voice/video doesn't overwhelm the local network?

If you've been following the excellent work of the WebRTC/RTCWEB initiative you'll know that developers are already using developer builds of browsers like Google Chrome and Mozilla Firefox to move real-time communications (RTC) directly into web browsers - without using Flash or Java plugins.

It's a powerful step to bake real-time communications into the very fabric of the Web. It stands to open up a zillion new opportunities for innovative uses of voice and video... and can fundamentally disrupt so many aspects of today's telecommunications.

It also stands a chance of completely swamping today's networks with RTC traffic!

So what do we do? How do we make sure that browser-based RTC plays nice with other traffic? How do we help it succeed?

The workshop is free of charge, and even has the possibility for remote participation, but you must be invited to attend. It is a working session and the organizers, the Internet Architecture Board (IAB) and Internet Research Task Force (IRTF), are requiring all potential attendees to submit a position paper basically explaining why they want to attend. More information and details can be found here:

So if you want to participate in what should be an extremely interesting session, you need to go now and submit a paper for consideration.

It's an extremely important topic - and one that must be addressed for WebRTC/RTCWEB to truly be the innovative force that it can be. I hope you'll consider participating!

P.S. If you can't attend that particular day, the outcome of the event will definitely be discussed on the IETF's rtcweb mailing list (Warning - high traffic!!!). Anyone can join that list so you can subscribe if you'd like to monitor what is going on. (Did I mention that the list has a high volume of traffic?)

For those who aren't familiar with the IETF, I recently came across this great video that explains the basics of what the IETF does:

The IETF is a great organization that is truly open to anyone to get involved. All you need to do is sign up for one of the mailing lists for one of the working groups and start reading and then participating. You can also attend one of the face-to-face IETF meetings to get even more involved.

Anyway, if you're not familiar with the IETF, do check out this video as it is a great intro!